[gnutls-dev] GnuTLS PKCS#11 Engine

Alon Bar-Lev alon.barlev at gmail.com
Sun May 13 21:41:24 CEST 2007


Hello,

An initial version of gnutls-pkcs11 is available for testing.
It should provide a simple API to access PKCS#11 cryptographic tokens.

I tried to keep the API as simple as I could, by copying some of the
gnutls "simple" interface, although I think the gnutls interface should be
modified to eliminate the requirement of global variables, and the
need for the programmer to develop specific code if it uses an engine.
I also cleaned the cli so it will only test the pkcs11 implementation;
I hope to clean this further.

The implementation allows using several providers at the same time,
supports session expiration, token request (if needed), several tokens
at the same time, detecting a token if it is removed and inserted into a
different slot, loading certificate authorities from the token and much
more.

You can download gnutls-pkcs11 from:
http://alon.barlev.googlepages.com/gnutls-pkcs11-0.01.tar.bz2

Generated documentation is available at:
http://alon.barlev.googlepages.com/gnutls-pkcs11-0.01-docs.tar.bz2

In order to compile the engine, you should use the following components:
1. http://josefsson.org/gnutls/releases/pkcs11/gnutls-1.7.8.p11.2.tar.bz2
2. http://www.opensc-project.org/files/pkcs11-helper/pkcs11-helper-1.02.tar.bz2

Configure gnutls with --without-pkcs11-scute; I hope that the next branch
will have this off by default.

In order to test gnutls-pkcs11 I use:
$ ./configure GNUTLS_CFLAGS="-I${GNUTLS_HOME}/include" \
    GNUTLS_LIBS="-L${GNUTLS_HOME}/lib -lgnutls"

In order to test, use:
$ LD_LIBRARY_PATH="${GNUTLS_HOME}/lib" src/gnutls-pkcs11-cli \
    --add-provider=/usr/lib/pkcs11/<provider> --cmd=ids

You will get the available certificates that may be used; look at the:
PKCS#11 ID: XXXX

Now:

$ LD_LIBRARY_PATH="${GNUTLS_HOME}/lib" src/gnutls-pkcs11-cli \
    --add-provider=/usr/lib/pkcs11/<provider> --cmd=connect \
    --host=localhost --port=5556 --pkcs11-id='XXXX'

Where XXXX is the id selected from the list. Please note the single
quotes; they are required so sh will not mess with the backslashes.
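As an added illustration of the two steps above (not code from the original post or from gnutls-pkcs11), the following POSIX sh snippet takes the listing printed by --cmd=ids, pulls out the "PKCS#11 ID:" values, and assembles a --cmd=connect command line in which the chosen id is single-quoted so that backslashes survive the shell. The listing, the id values and the provider path /usr/lib/pkcs11/example-provider.so are constructed for the example; only the "PKCS#11 ID: XXXX" line format comes from the post, and the rest of the real CLI output may differ.

```shell
#!/bin/sh
# Added example, not code from the original post or from gnutls-pkcs11.
# It parses the "PKCS#11 ID: ..." lines printed by `--cmd=ids` and builds
# a correctly quoted `--cmd=connect` invocation, so that an ID containing
# backslashes reaches the CLI unchanged.
#
# The sample listing below is constructed for this example; the real
# listing (apart from the "PKCS#11 ID:" line) and the ID syntax depend
# on the provider and on the CLI version.
SAMPLE_IDS_OUTPUT='Certificate: CN=Alice Example
PKCS#11 ID: mytoken\x20label/cert\x2d01
Certificate: CN=Bob Example
PKCS#11 ID: mytoken\x20label/cert\x2d02'

# Print only the ID values, one per line, exactly as listed.
extract_ids() {
    printf '%s\n' "$1" | sed -n 's/^PKCS#11 ID: //p'
}

# Number of IDs in a listing (prints 0 when none were found).
count_ids() {
    printf '%s\n' "$1" | grep -c '^PKCS#11 ID: ' || true
}

# Return the N-th ID (1-based); empty output when N is out of range.
select_id() {
    extract_ids "$1" | sed -n "${2}p"
}

# Wrap a value in single quotes for pasting into an interactive shell:
# inside single quotes sh passes backslashes through untouched, and any
# embedded single quote is written as '\'' so the quoting stays closed.
shell_quote() {
    printf "'%s'\n" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Assemble the connect command as one string. Both the provider path and
# the ID go through shell_quote, so the result can be pasted into sh verbatim.
connect_cmd() {
    provider=$1
    id=$2
    printf '%s\n' "src/gnutls-pkcs11-cli --add-provider=$(shell_quote "$provider") --cmd=connect --host=localhost --port=5556 --pkcs11-id=$(shell_quote "$id")"
}

# Demonstration on the constructed listing (provider path is a placeholder).
printf 'IDs found: %s\n' "$(count_ids "$SAMPLE_IDS_OUTPUT")"
extract_ids "$SAMPLE_IDS_OUTPUT"
connect_cmd /usr/lib/pkcs11/example-provider.so "$(select_id "$SAMPLE_IDS_OUTPUT" 1)"
```

The generated line is what you would otherwise type by hand; the point is that shell_quote reproduces the single quotes the post asks for, and does so even for an id that itself contains a single quote.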

If it does not work for you, please add --debug=5 and send me the log.

Any comments/suggestions are appreciated!

Best Regards,
Alon Bar-Lev.
